K
Q

Istio - namespace-level access control is applied to only a single value in the list

8/13/2019

I'm running Istio 1.2.3 in a GKE environment. I've set up the sock-shop demo-application, and am trying to configure HTTP authorization on namespace-level. I've enabled istio's RBAC, and am running the following Servicerole:

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: service-viewer
  namespace: default
spec:
  rules:
  - services: ["*"]
    methods: ["GET"]
    constraints:
    - key: "destination.labels[name]"
      values: ["front-end", "catalogue", "catalogue-db", "carts", "carts-db", "queue-master", "rabbitmq", "orders", "orders-db"]

and the following ServiceRoleBinding:

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-service-viewer
  namespace: default
spec:
  subjects:
  - properties:
      source.namespace: "istio-system"
  - properties:
      source.namespace: "default"
  roleRef:
    kind: ServiceRole
    name: "service-viewer"

the sock-shop has been deployed in the default namespace, whereas istio, as usual, is deployed in the istio-system namespace.

However, when i connect to the website, only the front-end loads. The front-end is supposed to fetch the catalogue and carts pages. However, as seen in kiali, 100% of the traffic going from the front-end to catalogue and carts ends with a 5xx response code. If i remove istio's RBAC, traffic flows succesfully.

-- Patrick Weyn
google-kubernetes-engine
istio
rbac

Similar Questions

Docker entrypoint permission denied
Kubernetes POD can't send messages via websockets
Is it possible to get container host path from environment variable?
DNS Record for my Domain not getting propagated on azure-dns with dns-01 challenge

0 Answers